summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSebastian Götte <jaseg@physik.tu-berlin.de>2013-03-31 18:02:46 +0200
committerJunio C Hamano <gitster@pobox.com>2013-03-31 22:38:49 -0700
commiteb307ae7bb78ccde4e2ac69f302ccf8834883628 (patch)
tree40bed8e400a5208b7c81ff94752133818014da6b
parentefed0022492b81bf59d29193c4ffe96492dd9e9b (diff)
downloadgit-eb307ae7bb78ccde4e2ac69f302ccf8834883628.tar.gz
merge/pull Check for untrusted good GPG signatures
When --verify-signatures is specified, abort the merge in case a good GPG signature from an untrusted key is encountered. Signed-off-by: Sebastian Götte <jaseg@physik-pool.tu-berlin.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--Documentation/merge-options.txt4
-rw-r--r--builtin/merge.c3
-rw-r--r--commit.c14
-rw-r--r--commit.h10
-rw-r--r--gpg-interface.h1
-rw-r--r--t/lib-gpg/pubring.gpgbin1164 -> 2359 bytes
-rw-r--r--t/lib-gpg/random_seedbin600 -> 600 bytes
-rw-r--r--t/lib-gpg/secring.gpgbin1237 -> 3734 bytes
-rw-r--r--t/lib-gpg/trustdb.gpgbin1280 -> 1360 bytes
-rwxr-xr-xt/t7612-merge-verify-signatures.sh9
10 files changed, 29 insertions, 12 deletions
diff --git a/Documentation/merge-options.txt b/Documentation/merge-options.txt
index 31f1067521..a0f022b41d 100644
--- a/Documentation/merge-options.txt
+++ b/Documentation/merge-options.txt
@@ -85,8 +85,8 @@ option can be used to override --squash.
--verify-signatures::
--no-verify-signatures::
- Verify that the commits being merged have good GPG signatures and abort the
- merge in case they do not.
+ Verify that the commits being merged have good and trusted GPG signatures
+ and abort the merge in case they do not.
--summary::
--no-summary::
diff --git a/builtin/merge.c b/builtin/merge.c
index e57c42c622..bac11d1605 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1248,6 +1248,9 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
switch (signature_check.result) {
case 'G':
break;
+ case 'U':
+ die(_("Commit %s has an untrusted GPG signature, "
+ "allegedly by %s."), hex, signature_check.signer);
case 'B':
die(_("Commit %s has a bad GPG signature "
"allegedly by %s."), hex, signature_check.signer);
diff --git a/commit.c b/commit.c
index 94029c9496..516a4ff7d2 100644
--- a/commit.c
+++ b/commit.c
@@ -1047,6 +1047,8 @@ static struct {
} sigcheck_gpg_status[] = {
{ 'G', "\n[GNUPG:] GOODSIG " },
{ 'B', "\n[GNUPG:] BADSIG " },
+ { 'U', "\n[GNUPG:] TRUST_NEVER" },
+ { 'U', "\n[GNUPG:] TRUST_UNDEFINED" },
};
static void parse_gpg_output(struct signature_check *sigc)
@@ -1068,11 +1070,13 @@ static void parse_gpg_output(struct signature_check *sigc)
found += strlen(sigcheck_gpg_status[i].check);
}
sigc->result = sigcheck_gpg_status[i].result;
- sigc->key = xmemdupz(found, 16);
- found += 17;
- next = strchrnul(found, '\n');
- sigc->signer = xmemdupz(found, next - found);
- break;
+ /* The trust messages are not followed by key/signer information */
+ if (sigc->result != 'U') {
+ sigc->key = xmemdupz(found, 16);
+ found += 17;
+ next = strchrnul(found, '\n');
+ sigc->signer = xmemdupz(found, next - found);
+ }
}
}
diff --git a/commit.h b/commit.h
index c24b844ad6..87b4b6cc0c 100644
--- a/commit.h
+++ b/commit.h
@@ -234,11 +234,11 @@ extern void print_commit_list(struct commit_list *list,
const char *format_last);
/*
- * Check the signature of the given commit. The result of the check is stored in
- * sig->result, 'G' for a good signature, 'B' for a bad signature and 'N'
- * for no signature at all.
- * This may allocate memory for sig->gpg_output, sig->gpg_status, sig->signer
- * and sig->key.
+ * Check the signature of the given commit. The result of the check is stored
+ * in sig->check_result, 'G' for a good signature, 'U' for a good signature
+ * from an untrusted signer, 'B' for a bad signature and 'N' for no signature
+ * at all. This may allocate memory for sig->gpg_output, sig->gpg_status,
+ * sig->signer and sig->key.
*/
extern void check_commit_signature(const struct commit* commit, struct signature_check *sigc);
diff --git a/gpg-interface.h b/gpg-interface.h
index 5884aa4052..a85cb5bc97 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -6,6 +6,7 @@ struct signature_check {
char *gpg_status;
char result; /* 0 (not checked),
* N (checked but no further result),
+ * U (untrusted good),
* G (good)
* B (bad) */
char *signer;
diff --git a/t/lib-gpg/pubring.gpg b/t/lib-gpg/pubring.gpg
index 83855fa4e1..1a3c2d487c 100644
--- a/t/lib-gpg/pubring.gpg
+++ b/t/lib-gpg/pubring.gpg
Binary files differ
diff --git a/t/lib-gpg/random_seed b/t/lib-gpg/random_seed
index 8fed1339ed..95d249f15f 100644
--- a/t/lib-gpg/random_seed
+++ b/t/lib-gpg/random_seed
Binary files differ
diff --git a/t/lib-gpg/secring.gpg b/t/lib-gpg/secring.gpg
index d831cd9eb3..82dca8f80b 100644
--- a/t/lib-gpg/secring.gpg
+++ b/t/lib-gpg/secring.gpg
Binary files differ
diff --git a/t/lib-gpg/trustdb.gpg b/t/lib-gpg/trustdb.gpg
index abace962b8..4879ae9a84 100644
--- a/t/lib-gpg/trustdb.gpg
+++ b/t/lib-gpg/trustdb.gpg
Binary files differ
diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh
index 6ccfbf367a..21a0bf8fb8 100755
--- a/t/t7612-merge-verify-signatures.sh
+++ b/t/t7612-merge-verify-signatures.sh
@@ -27,6 +27,10 @@ test_expect_success GPG 'create signed commits' '
git hash-object -w -t commit forged >forged.commit &&
git checkout initial &&
+ git checkout -b side-untrusted &&
+ echo 3 >baz && git add baz &&
+ test_tick && git commit -SB7227189 -m "untrusted on side"
+
git checkout master
'
@@ -40,6 +44,11 @@ test_expect_success GPG 'merge commit with bad signature with verification' '
test_i18ngrep "has a bad GPG signature" mergeerror
'
+test_expect_success GPG 'merge commit with untrusted signature with verification' '
+ test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
+ test_i18ngrep "has an untrusted GPG signature" mergeerror
+'
+
test_expect_success GPG 'merge signed commit with verification' '
git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
test_i18ngrep "has a good GPG signature" mergeoutput